full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] iiscan results

Re: [Full-disclosure] iiscan results

From: p8x <l_at_nospam>
Date: Thu Jan 07 2010 - 13:55:28 GMT
To: full-disclosure@lists.grok.org.uk


Hi Vincent,

I also experied the same issue as mrx. I did see multiple get and post requests to the same page.

As an example, I took a random page with a form on it, here are the totals: 2 /password.html 2 /password.html?key=88888&form_validated=12345&submit_form=88888 2 /password.html?key=88888&form_validated=12345&submit_form=88888' 2 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6 2 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6 2 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'=' 2 /password.html?key=88888&submit_form=88888&form_validated=12345 2 /password.html?key=88888&submit_form=88888&form_validated=12345' 2 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6 2 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6 2 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'=' 2 /password.html?submit_form=88888&form_validated=12345&key=88888 2 /password.html?submit_form=88888&form_validated=12345&key=88888' 2 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6 2 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6 2 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'=' 4 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5 4 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5 4 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'=' 4 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5 4 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5 4 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'=' 4 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5 4 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5 4
/password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'='

Also, the contact forms on the websites I tested got hammered with emails (and they also seemed to have duplicate requests).

p8x

On 7/01/2010 8:00 PM, mrx wrote:
> Vincent,
>
> Although the actual results of the scan were displayed in English in the online html report,
> the suggested solutions were in fact in Chinese.
>
> Checking my access logs reveals multiple attempts of the same attack/probe, for example multiple identical POSTs to the same page:
>
> 216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows
> NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
>
> There are around 100 entries identical to the above in my log. I don't know if this is by design or not but it does seem to be a little inefficient.
>
>
> I also noticed there were no attempts at information disclosure via the TRACE method, nor were any attempts made at SQL injection despite my
> selecting "all" in the scan options. Not that my site is vulnerable in any way ;-)
>
> Hope this helps
>
> regards
> mrx
>
>
>
> Vincent Chao wrote:
>> Thank you for your analysis. It really helps me.
>
>> And I also found the PDF report mail to us is in Chinese, in the website of >> iiScan, however, to see the report of html or PDF format is English (of >> course can change to Chinese).
>
>> -----Original Message----- >> From: full-disclosure-bounces@lists.grok.org.uk >> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of mrx >> Sent: Wednesday, January 06, 2010 8:45 PM >> To: full-disclosure@lists.grok.org.uk >> Subject: [Full-disclosure] iiscan results
>
>> Well, this scanner managed to find a couple of low level vulnerabilities on >> my site which were missed by both Nikto and Nessus.
>
>> Two directories allowed a directory listing and a test.php file I created, >> an information disclosure vulnerability, was also detected. My dumb >> ass forgot to delete this "test.php" file after I finished testing the >> server.
>
>> Possible sensitive directories were also listed, however browsing to these >> directories returned 403 errors, blank pages or a wordpress logon >> prompt, which is what I expected.
>
>> So all in all this scanner seems to do it's job well. At least for a LAMP >> server running wordpress
>
>> Of course I have addressed the vulnerabilities reported.
>
>> My command of the Chinese language is limited to zero, so I cannot >> understand the pdf report emailed to me nor the information within the web >> based report. Hopefully the developers will address this language problem.
>
>> regards >> mrx
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/